Threat Evasion for aws:multifactorAuthPresent condition using Cloudshell

Further Thinking

  • Creating a lambda policy where ListFunctions and GetAccountSettings call need the user to have MFA enabled.
Lambda IAM policy
  • With the policy enforced, we can list out the lambda functions from the aws console
Listing lambda functions from aws console
  • When we try to list lambda functions using programmatic access we get an Access Denied.
Listing lambda functions from programmatic access

Attack Vector

  • Generating session tokens from cloudshell
Generating session tokens from cloudshell
  • Listing lambda functions with the session token generated earlier
Listing lambda function from session token assumed


CloudTrail logs
PutCredentials in cloudshell




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Application Security Engineer | Penetration Tester | NET+ | SEC+ | CEH | paWASP